1SHOREWALL-TUNNELS(5)          Configuration Files         SHOREWALL-TUNNELS(5)
2
3
4

NAME

6       tunnels - Shorewall VPN definition file
7

SYNOPSIS

9       /etc/shorewall[6]/tunnels
10

DESCRIPTION

12       The tunnels file is used to define rules for encapsulated (usually
13       encrypted) traffic to pass between the Shorewall system and a remote
14       gateway. Traffic flowing through the tunnel is handled using the normal
15       zone/policy/rule mechanism. See
16       http://www.shorewall.net/VPNBasics.html[1] for details.
17
18       The columns in the file are as follows.
19
20       TYPE -
21       {ipsec[:{noah|ah}]|ipsecnat|ipip|gre|l2tp|pptpclient|pptpserver|?COMMENT|{openvpn|openvpnclient|openvpnserver}[:{tcp|udp}][:port]|generic:protocol[:port]}
22           Types are as follows:
23
24                       6to4 or 6in4  - 6to4 or 6in4 tunnel. The 6in4 synonym was added in 4.4.24.
25                       ipsec         - IPv4 IPSEC
26                       ipsecnat      - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
27                       ipip          - IPv4 encapsulated in IPv4 (Protocol 4)
28                       gre           - Generalized Routing Encapsulation (Protocol 47)
29                       l2tp          - Layer 2 Tunneling Protocol (UDP port 1701)
30                       pptpclient    - PPTP Client runs on the firewall
31                       pptpserver    - PPTP Server runs on the firewall
32                       openvpn       - OpenVPN in point-to-point mode
33                       openvpnclient - OpenVPN client runs on the firewall
34                       openvpnserver - OpenVPN server runs on the firewall
35                       generic       - Other tunnel type
36                       tinc          - TINC (added in Shorewall 4.6.6)
37
38           If the type is ipsec, it may be followed by :ah to indicate that
39           the Authentication Headers protocol (51) is used by the tunnel (the
40           default is :noah which means that protocol 51 is not used). NAT
41           traversal is only supported with ESP (protocol 50) so ipsecnat
42           tunnels don't allow the ah option (ipsecnat:noah may be specified
43           but is redundant).
44
45           If type is openvpn, openvpnclient or openvpnserver it may
46           optionally be followed by ":" and tcp or udp to specify the
47           protocol to be used. If not specified, udp is assumed.
48
49           If type is openvpn, openvpnclient or openvpnserver it may
50           optionally be followed by ":" and the port number used by the
51           tunnel. if no ":" and port number are included, then the default
52           port of 1194 will be used. . Where both the protocol and port are
53           specified, the protocol must be given first (e.g.,
54           openvpn:tcp:4444).
55
56           If type is generic, it must be followed by ":" and a protocol name
57           (from /etc/protocols) or a protocol number. If the protocol is tcp
58           or udp (6 or 17), then it may optionally be followed by ":" and a
59           port number.
60
61           Comments may be attached to Netfilter rules generated from entries
62           in this file through the use of /COMMENT lines. These lines begin
63           with ?COMMENT; the remainder of the line is treated as a comment
64           which is attached to subsequent rules until another ?COMMENT line
65           is found or until the end of the file is reached. To stop adding
66           comments to rules, use a line containing only ?COMMENT.
67
68               Note
69               Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
70               COMMENT and is preferred.
71
72       ZONE - zone
73           The zone of the physical interface through which tunnel traffic
74           passes. This is normally your internet zone.
75
76       GATEWAY(S) (gateway or gateways) - address-or-range [ , ... ]
77           The IP address of the remote tunnel gateway. If the remote gateway
78           has no fixed address (Road Warrior) then specify the gateway as
79           0.0.0.0/0. May be specified as a network address and if your kernel
80           and iptables include iprange match support then IP address ranges
81           are also allowed.
82
83           Beginning with Shorewall 4.5.3, a list of addresses or ranges may
84           be given. Exclusion (shorewall-exclusion[2] (5) ) is not supported.
85
86       GATEWAY ZONES (gateway_zone or gateway_zones) - [zone[,zone]...]
87           Optional. If the gateway system specified in the third column is a
88           standalone host then this column should contain a comma-separated
89           list of the names of the zones that the host might be in. This
90           column only applies to IPSEC tunnels where it enables ISAKMP
91           traffic to flow through the tunnel to the remote gateway(s).
92

EXAMPLE

94       IPv4 Example 1:
95           IPSec tunnel.
96
97           The remote gateway is 4.33.99.124 and the remote subnet is
98           192.168.9.0/24. The tunnel does not use the AH protocol
99
100                       #TYPE           ZONE    GATEWAY
101                       ipsec:noah      net     4.33.99.124
102
103       IPv4 Example 2:
104           Road Warrior (LapTop that may connect from anywhere) where the "gw"
105           zone is used to represent the remote LapTop
106
107                       #TYPE           ZONE    GATEWAY         GATEWAY ZONES
108                       ipsec           net     0.0.0.0/0       gw
109
110       IPv4 Example 3:
111           Host 4.33.99.124 is a standalone system connected via an ipsec
112           tunnel to the firewall system. The host is in zone gw.
113
114                       #TYPE           ZONE    GATEWAY         GATEWAY ZONES
115                       ipsec           net     4.33.99.124     gw
116
117       IPv4 Example 4:
118           Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
119           FreeS/Wan _updown script will add the host to the appropriate zone
120           using the shorewall add command on connect and will remove the host
121           from the zone at disconnect time.
122
123                       #TYPE           ZONE    GATEWAY         GATEWAY ZONES
124                       ipsec           net     0.0.0.0/0       vpn1,vpn2,vpn3
125
126       IPv4 Example 5:
127           You run the Linux PPTP client on your firewall and connect to
128           server 192.0.2.221.
129
130                       #TYPE           ZONE    GATEWAY         GATEWAY ZONES
131                       pptpclient      net     192.0.2.221
132
133       IPv4 Example 6:
134           You run a PPTP server on your firewall.
135
136                       #TYPE           ZONE    GATEWAY         GATEWAY ZONES
137                       pptpserver      net     0.0.0.0/0
138
139       Example 7:
140           OPENVPN tunnel. The remote gateway is 4.33.99.124 and openvpn uses
141           port 7777.
142
143                       #TYPE           ZONE    GATEWAY         GATEWAY ZONES
144                       openvpn:7777    net     4.33.99.124
145
146       IPv4 Example 8:
147           You have a tunnel that is not one of the supported types. Your
148           tunnel uses UDP port 4444. The other end of the tunnel is
149           4.3.99.124.
150
151                       #TYPE            ZONE    GATEWAY         GATEWAY ZONES
152                       generic:udp:4444 net     4.3.99.124
153
154       IPv4 Example 9:
155           TINC tunnel where the remote gateways are not specified. If you
156           wish to specify a list of gateways, you can do so in the GATEWAY
157           column.
158
159                       #TYPE            ZONE    GATEWAY          GATEWAY ZONES
160                       tinc             net     0.0.0.0/0
161
162       IPv6 Example 1:
163           IPSec tunnel.
164
165           The remote gateway is 2001:cec792b4:1::44. The tunnel does not use
166           the AH protocol
167
168                       #TYPE           ZONE    GATEWAY
169                       ipsec:noah      net     2002:cec792b4:1::44
170
171       IPv6 Example 2:
172           Road Warrior (LapTop that may connect from anywhere) where the "gw"
173           zone is used to represent the remote LapTop
174
175                       #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
176                       ipsec           net     ::/0                    gw
177
178       IPv6 Example 3:
179           Host 2001:cec792b4:1::44 is a standalone system connected via an
180           ipsec tunnel to the firewall system. The host is in zone gw.
181
182                       #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
183                       ipsec           net     2001:cec792b4:1::44     gw
184
185       IPv6 Example 4:
186           OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and
187           openvpn uses port 7777.
188
189                       #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
190                       openvpn:7777    net     2001:cec792b4:1::44
191
192       IPv6 Example 8:
193           You have a tunnel that is not one of the supported types. Your
194           tunnel uses UDP port 4444. The other end of the tunnel is
195           2001:cec792b4:1::44.
196
197                       #TYPE            ZONE    GATEWAY                GATEWAY ZONES
198                       generic:udp:4444 net     2001:cec792b4:1::44
199
200       IPv6 Example 9:
201           TINC tunnel where the remote gateways are not specified. If you
202           wish to specify a list of gateways, you can do so in the GATEWAY
203           column.
204
205                       #TYPE            ZONE    GATEWAY          GATEWAY ZONES
206                       tinc             net     ::/0
207

FILES

209       /etc/shorewall/tunnels
210
211       /etc/shorewall6/tunnels
212

SEE ALSO

214       http://www.shorewall.net/configuration_file_basics.htm#Pairs[3]
215
216       shorewall(8)
217

NOTES

219        1. http://www.shorewall.net/VPNBasics.html
220           https://shorewall.org/VPNBasics.html
221
222        2. shorewall-exclusion
223           https://shorewall.org/manpages/shorewall-exclusion.html
224
225        3. http://www.shorewall.net/configuration_file_basics.htm#Pairs
226           https://shorewall.org/configuration_file_basics.htm#Pairs
227
228
229
230Configuration Files               01/15/2020              SHOREWALL-TUNNELS(5)
Impressum